Win32:Malware-gen at c:\Windows\Temp\xxx.tmp\

Hi guys,

I have avast 4.8 Home edition. Virus database :

My system is infected with Win32:Malware-gen and I am not able to clean my system of it.
I have tried doing a boot scan, but the virus keeps coming back again. I then tried disabling System Restore and doing a boot scan, deleting the virus during the process, but again after rebooting Windows (Vista 32-bit Home, SP1) it comes up again.
I tried running MalwareBytes but it didn't find anything suspicious.

Now avast is also detecting a Trojan, Win32:Fabot [Trj], in the same path :o

Please Help!

Thanks a million…

Please Help!

Follow this guide from essexboy and post the MBAM and OTL log HERE
http://forum.avast.com/index.php?topic=53253.0

OTL Log

OTL logfile created on: 10-03-2010 22:43:59 - Run 1
OTL by OldTimer - Version 3.1.36.0 Folder = H:\InstalledSoftware\Win_ServicePacks\New Folder\New Folder
Windows Vista Home Premium Edition Service Pack 2, v.286 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.16670)
Locale: 00004009 | Country: India | Language: ENN | Date Format: dd-MM-yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 39.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 85.54 Gb Total Space | 51.17 Gb Free Space | 59.81% Space Free | Partition Type: NTFS
Drive D: | 11.21 Gb Total Space | 1.85 Gb Free Space | 16.52% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 70.73 Gb Total Space | 34.96 Gb Free Space | 49.43% Space Free | Partition Type: NTFS
Drive H: | 70.62 Gb Total Space | 22.92 Gb Free Space | 32.46% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive K: | 59.99 Gb Total Space | 59.96 Gb Free Space | 99.95% Space Free | Partition Type: NTFS

Computer Name: SOMU-PC
Current User Name: Somu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010-03-10 20:20:43 | 000,554,496 | ---- | M] (OldTimer Tools) – H:\InstalledSoftware\Win_ServicePacks\New Folder\New Folder\OTL.exe
PRC - [2010-02-24 22:35:03 | 000,202,256 | ---- | M] (RealNetworks, Inc.) – C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010-02-21 12:47:03 | 000,160,256 | ---- | M] (http://www.activibes.com/) – C:\ProgramData\Skype\Plugins\Plugins\4EA88456BBA64C9CABF04F82A96C1FE3\Kanji.exe
PRC - [2010-02-18 16:40:26 | 002,012,912 | ---- | M] (SUPERAntiSpyware.com) – G:\Softwares\SuperAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010-02-05 10:26:58 | 000,083,440 | ---- | M] (Google) – C:\Users\Somu\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
PRC - [2010-01-16 03:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) – C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010-01-07 16:07:10 | 001,394,000 | ---- | M] (Malwarebytes Corporation) – G:\Softwares\Malwarebytes’ Anti-Malware\mbam.exe
PRC - [2009-11-24 23:51:40 | 000,081,000 | ---- | M] (ALWIL Software) – H:\InstalledSoftware\Avast\ashDisp.exe
PRC - [2009-11-24 23:51:35 | 000,138,680 | ---- | M] (ALWIL Software) – H:\InstalledSoftware\Avast\ashServ.exe
PRC - [2009-11-24 23:51:21 | 000,254,040 | ---- | M] (ALWIL Software) – H:\InstalledSoftware\Avast\ashMaiSv.exe
PRC - [2009-11-24 23:48:48 | 000,352,920 | ---- | M] (ALWIL Software) – H:\InstalledSoftware\Avast\ashWebSv.exe
PRC - [2009-11-24 23:43:56 | 000,018,752 | ---- | M] (ALWIL Software) – H:\InstalledSoftware\Avast\aswUpdSv.exe
PRC - [2009-11-18 09:39:06 | 000,240,480 | ---- | M] (Microsoft Corp.) – C:\Program Files\MSN Toolbar\Platform\4.0.0360.0\mswinext.exe
PRC - [2009-08-18 05:59:22 | 001,529,728 | ---- | M] (Microsoft Corporation) – C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009-08-18 05:59:22 | 000,183,152 | ---- | M] (Microsoft Corporation) – C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009-08-07 11:45:06 | 000,311,152 | ---- | M] (Microsoft Corporation) – C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
PRC - [2009-08-07 11:45:06 | 000,242,048 | ---- | M] (Microsoft Corporation) – C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009-07-17 05:42:14 | 000,288,080 | ---- | M] (Microsoft Corporation) – C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
PRC - [2009-02-20 04:16:52 | 000,030,312 | ---- | M] (Microsoft Corporation) – C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2009-01-30 16:57:50 | 002,927,616 | ---- | M] (Microsoft Corporation) – C:\Windows\explorer.exe
PRC - [2009-01-13 15:18:40 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) – C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\AEstSrv.exe
PRC - [2009-01-08 11:07:56 | 000,450,663 | ---- | M] (IDT, Inc.) – C:\Program Files\IDT\WDM\sttray.exe
PRC - [2009-01-08 11:07:56 | 000,237,661 | ---- | M] (IDT, Inc.) – C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\stacsv.exe
PRC - [2008-12-18 00:11:40 | 000,365,952 | ---- | M] () – C:\Program Files\SMINST\BLService.exe
PRC - [2008-12-11 02:56:36 | 000,842,816 | ---- | M] (DigitalPersona, Inc.) – C:\Program Files\DigitalPersona\Bin\DpAgent.exe
PRC - [2008-12-11 02:56:36 | 000,322,624 | ---- | M] (DigitalPersona, Inc.) – C:\Program Files\DigitalPersona\Bin\DpHostW.exe
PRC - [2008-11-19 02:35:44 | 000,914,224 | ---- | M] (Hewlett-Packard) – C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
PRC - [2008-11-18 13:09:42 | 000,599,344 | ---- | M] (Validity Sensors, Inc.) – C:\Windows\System32\vfsFPService.exe
PRC - [2008-01-21 02:23:42 | 000,026,112 | ---- | M] (Microsoft Corporation) – C:\Windows\System32\prevhost.exe
PRC - [2007-09-02 13:58:52 | 000,495,616 | ---- | M] () – G:\RocketDock\RocketDock.exe
PRC - [2007-02-09 23:59:56 | 000,089,968 | ---- | M] (Microsoft Corporation) – c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

========== Modules (SafeList) ==========

MOD - [2010-03-10 20:20:43 | 000,554,496 | ---- | M] (OldTimer Tools) – H:\InstalledSoftware\Win_ServicePacks\New Folder\New Folder\OTL.exe
MOD - [2009-01-30 16:49:28 | 001,686,528 | ---- | M] (Microsoft Corporation) – C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.16670_none_5cbe9ee0088446b4\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2009-11-24 23:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] – H:\InstalledSoftware\Avast\ashServ.exe – (avast! Antivirus)
SRV - [2009-11-24 23:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] – H:\InstalledSoftware\Avast\ashMaiSv.exe – (avast! Mail Scanner)
SRV - [2009-11-24 23:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] – H:\InstalledSoftware\Avast\ashWebSv.exe – (avast! Web Scanner)
SRV - [2009-11-24 23:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] – H:\InstalledSoftware\Avast\aswUpdSv.exe – (aswUpdSv)
SRV - [2009-08-18 05:59:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] – C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE – (wlidsvc)
SRV - [2009-08-11 16:57:47 | 000,355,584 | ---- | M] (TuneUp Software GmbH) [On_Demand | Stopped] – C:\Windows\System32\TuneUpDefragService.exe – (TuneUp.Defrag)
SRV - [2009-08-07 11:45:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] – C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe – (SeaPort)
SRV - [2009-02-20 04:16:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] – C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe – (BcmSqlStartupSvc)
SRV - [2009-01-13 15:18:40 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] – C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\AEstSrv.exe – (AESTFilters)
SRV - [2009-01-08 11:07:56 | 000,237,661 | ---- | M] (IDT, Inc.) [Auto | Running] – C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\stacsv.exe – (STacSV)
SRV - [2008-12-18 00:11:40 | 000,365,952 | ---- | M] () [Auto | Running] – C:\Program Files\SMINST\BLService.exe – (Recovery Service for Windows)
SRV - [2008-12-11 02:56:36 | 000,322,624 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] – C:\Program Files\DigitalPersona\Bin\DpHostW.exe – (DpHost)
SRV - [2008-11-18 13:09:42 | 000,599,344 | ---- | M] (Validity Sensors, Inc.) [Auto | Running] – C:\Windows\System32\vfsFPService.exe – (vfsFPService)
SRV - [2008-08-26 14:02:24 | 000,014,336 | ---- | M] (Agere Systems) [Disabled | Stopped] – C:\Program Files\LSI SoftModem\agrsmsvc.exe – (AgereModemAudio)
SRV - [2008-05-29 03:58:54 | 000,028,416 | ---- | M] (TuneUp Software GmbH) [Auto | Running] – C:\Windows\System32\uxtuneup.dll – (UxTuneUp)
SRV - [2008-01-21 02:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] – C:\Program Files\Windows Defender\MpSvc.dll – (WinDefend)
SRV - [2007-02-09 23:59:56 | 000,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] – c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe – (SQLWriter)
SRV - [2006-04-14 18:07:20 | 028,933,976 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] – c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe – (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2006-04-14 18:05:58 | 000,240,416 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] – c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe – (SQLBrowser)
SRV - [2005-10-14 11:50:20 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] – c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe – (MSSQLServerADHelper)

========== Standard Registry (SafeList) ==========

========== Files - Modified Within 14 Days ==========

[2010-03-10 22:47:41 | 003,407,872 | -HS- | M] () – C:\Users\Somu\ntuser.dat
[2010-03-10 22:29:48 | 000,760,648 | ---- | M] () – C:\Windows\System32\PerfStringBackup.INI
[2010-03-10 22:29:48 | 000,649,990 | ---- | M] () – C:\Windows\System32\perfh009.dat
[2010-03-10 22:29:48 | 000,124,218 | ---- | M] () – C:\Windows\System32\perfc009.dat
[2010-03-10 22:28:57 | 000,003,216 | -H-- | M] () – C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-03-10 22:28:57 | 000,003,216 | -H-- | M] () – C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-03-10 22:00:00 | 000,000,462 | ---- | M] () – C:\Windows\tasks\1-Click Maintenance.job
[2010-03-10 21:57:00 | 000,000,904 | ---- | M] () – C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2178948046-532981448-767546519-1003UA.job
[2010-03-10 19:58:45 | 000,000,681 | ---- | M] () – C:\Users\Somu\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010-03-10 01:09:33 | 000,000,852 | ---- | M] () – C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2178948046-532981448-767546519-1003Core.job
[2010-03-09 22:55:07 | 000,145,408 | ---- | M] () – C:\Users\Somu\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-03-09 20:05:12 | 000,023,040 | ---- | M] () – C:\Users\Somu\Documents\Expenses Mar.xls
[2010-03-09 18:28:22 | 000,067,584 | --S- | M] () – C:\Windows\bootstat.dat
[2010-03-09 08:19:46 | 000,104,952 | ---- | M] () – C:\Users\Somu\AppData\Local\GDIPFONTCACHEV1.DAT
[2010-03-09 08:07:50 | 000,000,006 | -H-- | M] () – C:\Windows\tasks\SA.DAT
[2010-03-08 23:46:26 | 3218,251,776 | -HS- | M] () – C:\hiberfil.sys
[2010-03-08 23:45:34 | 000,524,288 | -HS- | M] () – C:\Users\Somu\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010-03-08 23:45:34 | 000,065,536 | -HS- | M] () – C:\Users\Somu\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010-03-08 23:44:38 | 000,376,184 | ---- | M] () – C:\Windows\System32\FNTCACHE.DAT
[2010-03-08 23:42:36 | 000,000,012 | ---- | M] () – C:\Windows\bthservsdp.dat
[2010-03-08 20:45:00 | 000,000,609 | ---- | M] () – C:\Users\Public\Desktop\Malwarebytes’ Anti-Malware.lnk
[2010-03-08 08:47:46 | 000,010,752 | ---- | M] () – C:\Windows\DCEBoot.exe
[2010-03-07 23:01:50 | 000,000,258 | RHS- | M] () – C:\ProgramData\ntuser.pol
[2010-03-07 22:56:39 | 000,000,036 | ---- | M] () – C:\Users\Somu\AppData\Local\housecall.guid.cache
[2010-02-28 22:18:55 | 000,025,088 | ---- | M] () – C:\Users\Somu\Documents\Expenses Feb.xls
[2010-02-28 14:59:55 | 000,001,392 | ---- | M] () – C:\Windows\System32\ealregsnapshot1.reg
[2010-02-27 21:59:58 | 000,021,035 | ---- | M] () – C:\Users\Somu\Documents\Expenses.xlsx
[2010-02-27 17:56:28 | 000,000,219 | ---- | M] () – C:\Windows\win.ini
[2010-02-26 20:37:13 | 000,139,128 | ---- | M] () – C:\Windows\System32\drivers\PnkBstrK.sys
[2010-02-26 20:37:02 | 000,215,128 | ---- | M] () – C:\Windows\System32\PnkBstrB.xtr
[2010-02-25 18:06:31 | 000,000,165 | -H-- | M] () – C:\Users\Somu\Documents\~$Expenses.xlsx
[2 C:\Windows\System32\*.tmp files → C:\Windows\System32\*.tmp → ]
[1 C:\Windows\*.tmp files → C:\Windows\*.tmp → ]

========== Files Created - No Company Name ==========

[2010-03-10 19:58:45 | 000,000,681 | ---- | C] () – C:\Users\Somu\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010-03-08 23:46:26 | 3218,251,776 | -HS- | C] () – C:\hiberfil.sys
[2010-03-08 20:45:00 | 000,000,609 | ---- | C] () – C:\Users\Public\Desktop\Malwarebytes’ Anti-Malware.lnk
[2010-03-08 08:47:46 | 000,010,752 | ---- | C] () – C:\Windows\DCEBoot.exe
[2010-03-07 23:01:50 | 000,000,258 | RHS- | C] () – C:\ProgramData\ntuser.pol
[2010-03-07 22:56:39 | 000,000,036 | ---- | C] () – C:\Users\Somu\AppData\Local\housecall.guid.cache
[2010-02-28 22:16:04 | 000,023,040 | ---- | C] () – C:\Users\Somu\Documents\Expenses Mar.xls
[2010-02-28 14:59:55 | 000,001,392 | ---- | C] () – C:\Windows\System32\ealregsnapshot1.reg
[2010-02-28 14:59:16 | 000,025,088 | ---- | C] () – C:\Users\Somu\Documents\Expenses Feb.xls
[2010-02-25 18:06:31 | 000,000,165 | -H-- | C] () – C:\Users\Somu\Documents\~$Expenses.xlsx
[2010-02-12 01:24:39 | 000,613,896 | ---- | C] () – C:\Users\Somu\AppData\Local\tmpDSC00383 - COPY.0
[2010-02-12 01:24:39 | 000,611,200 | ---- | C] () – C:\Users\Somu\AppData\Local\tmpDSC00383 - COPY.JPG
[2009-11-17 02:38:13 | 000,000,680 | ---- | C] () – C:\Users\Somu\AppData\Local\d3d9caps.dat
[2009-11-06 10:58:04 | 000,178,975 | ---- | C] () – C:\Windows\System32\xlive.dll.cat
[2009-10-29 22:34:43 | 000,139,128 | ---- | C] () – C:\Windows\System32\drivers\PnkBstrK.sys
[2009-10-29 22:34:43 | 000,138,056 | ---- | C] () – C:\Users\Somu\AppData\Roaming\PnkBstrK.sys
[2009-09-27 05:52:44 | 000,023,888 | ---- | C] () – C:\Users\Somu\AppData\Roaming\UserTile.png
[2009-08-21 18:55:33 | 000,000,000 | ---- | C] () – C:\ProgramData\LauncherAccess.dt
[2009-08-21 18:43:06 | 000,005,632 | ---- | C] () – C:\Windows\System32\drivers\StarOpen.sys
[2009-08-12 20:14:32 | 000,721,904 | ---- | C] () – C:\Windows\System32\drivers\sptd.sys
[2009-08-11 16:47:10 | 000,247,560 | ---- | C] () – C:\Windows\System32\prgiso.dll
[2009-08-11 16:47:09 | 004,244,744 | ---- | C] () – C:\Windows\System32\qtp-mt334.dll
[2009-08-11 16:43:22 | 000,000,025 | ---- | C] () – C:\Windows\cdplayer.ini
[2009-07-12 08:01:50 | 000,117,248 | ---- | C] () – C:\Windows\System32\EhStorAuthn.dll
[2009-07-11 09:16:15 | 000,145,408 | ---- | C] () – C:\Users\Somu\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-07-04 03:51:08 | 000,000,000 | ---- | C] () – C:\Users\Somu\AppData\Local\QSwitch.txt
[2009-07-04 03:51:08 | 000,000,000 | ---- | C] () – C:\Users\Somu\AppData\Local\DSwitch.txt
[2009-07-04 03:51:08 | 000,000,000 | ---- | C] () – C:\Users\Somu\AppData\Local\AtStart.txt
[2009-07-04 03:50:59 | 000,004,449 | ---- | C] () – C:\ProgramData\HPWALog.txt
[2009-06-19 14:36:22 | 000,197,912 | ---- | C] () – C:\Windows\System32\physxcudart_20.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelSwedish.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelSpanish.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelPortugese.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelKorean.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelJapanese.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelGerman.dll
[2009-06-19 14:36:22 | 000,058,648 | ---- | C] () – C:\Windows\System32\AgCPanelFrench.dll
[2009-04-25 10:58:25 | 000,000,105 | ---- | C] () – C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
[2009-04-25 10:58:15 | 000,000,032 | ---- | C] () – C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2009-04-25 10:57:40 | 000,000,032 | ---- | C] () – C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2009-04-25 10:57:00 | 000,000,032 | ---- | C] () – C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2009-04-25 10:55:36 | 000,000,032 | ---- | C] () – C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2009-02-27 15:43:38 | 000,000,109 | ---- | C] () – C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2009-02-27 15:37:58 | 000,000,110 | ---- | C] () – C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2009-02-27 15:36:02 | 000,000,105 | ---- | C] () – C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2009-02-27 15:34:43 | 000,000,107 | ---- | C] () – C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2009-01-22 00:34:38 | 000,159,744 | ---- | C] () – C:\Windows\System32\atitmmxx.dll
[2007-11-14 22:17:34 | 000,204,800 | ---- | C] () – C:\Windows\System32\CogentBioSDK.dll
[2006-11-02 12:35:32 | 000,005,632 | ---- | C] () – C:\Windows\System32\sysprepMCE.dll
[2006-11-02 07:40:29 | 000,013,750 | ---- | C] () – C:\Windows\System32\pacerprf.ini
[2001-11-14 20:56:00 | 001,802,240 | ---- | C] () – C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2009-08-12 20:19:23 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\DAEMON Tools Lite
[2009-07-04 03:51:06 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\DigitalPersona
[2010-03-07 19:45:51 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\muvee Technologies
[2009-09-28 12:18:24 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\Opera
[2009-09-27 05:52:43 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\PeerNetworking
[2010-03-09 22:30:02 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\QuickScan
[2009-08-21 19:00:10 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\Samsung
[2010-03-07 11:22:20 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\SmartVoip
[2009-08-11 16:57:45 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\TuneUp Software
[2010-03-07 22:24:21 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\uTorrent
[2009-07-04 04:02:49 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\WildTangent
[2010-02-21 12:56:01 | 000,000,000 | ---D | M] – C:\Users\Somu\AppData\Roaming\WizzTones
[2010-03-10 22:00:00 | 000,000,462 | ---- | M] () – C:\Windows\Tasks\1-Click Maintenance.job
[2010-03-08 23:42:36 | 000,032,632 | ---- | M] () – C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2006-09-18 21:43:36 | 000,000,024 | ---- | M] () – C:\autoexec.bat
[2009-01-30 17:06:12 | 000,333,077 | RHS- | M] () – C:\bootmgr
[2006-09-18 21:43:37 | 000,000,010 | ---- | M] () – C:\config.sys
[2010-03-08 23:46:26 | 3218,251,776 | -HS- | M] () – C:\hiberfil.sys
[2010-03-09 08:06:58 | 3531,841,536 | -HS- | M] () – C:\pagefile.sys
[2009-12-14 20:43:00 | 000,000,611 | ---- | M] () – C:\super_mario_planet.jad

< MD5 for: AGP440.SYS >
[2008-01-21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 – C:\Windows\System32\drivers\AGP440.sys
[2008-01-21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 – C:\Windows\System32\DriverStore\FileRepository\machine.inf_045cfa13\AGP440.sys
[2008-01-21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 – C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008-01-21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 – C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008-01-21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 – C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.16670_none_bbadee55bc0fa552\AGP440.sys
[2006-11-02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 – C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2008-01-21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 – C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008-01-21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 – C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2009-01-30 17:03:12 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=3684D50B14B7982DF38C1E2D154FC465 – C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_75ea9101\atapi.sys
[2009-01-30 17:03:12 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=3684D50B14B7982DF38C1E2D154FC465 – C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.16670_none_ded329341ee89a74\atapi.sys
[2006-11-02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F – C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008-08-16 12:03:39 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=66A1A71D66C5235A31C16F30147E7AF6 – C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_181d523c\atapi.sys
[2008-08-16 12:03:39 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=66A1A71D66C5235A31C16F30147E7AF6 – C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22245_none_dd9b888d3ac35a04\atapi.sys
[2009-02-27 15:19:33 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=9C0E70031905ADBF94EDB9EA14AF943B – C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7f3e4ed9\atapi.sys
[2009-02-27 15:19:33 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=9C0E70031905ADBF94EDB9EA14AF943B – C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22193_none_dd6376773aedb5e4\atapi.sys
[2009-02-27 15:19:33 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E26DDFE464B464DAF1C739122978D1D6 – C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b7393fc6\atapi.sys
[2009-02-27 15:19:33 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E26DDFE464B464DAF1C739122978D1D6 – C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20847_none_dbb74a7b3d9afbc1\atapi.sys
[2010-03-07 22:24:33 | 000,019,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 – C:\Windows\System32\drivers\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006-11-02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D – C:\Windows\System32\cngaudit.dll
[2006-11-02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D – C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2007-05-18 05:34:04 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 – C:\Program Files\CyberLink\PowerDirector\EventLog.dll

< MD5 for: IASTORV.SYS >
[2008-01-21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 – C:\Windows\System32\drivers\iaStorV.sys
[2008-01-21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 – C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008-01-21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 – C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006-11-02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 – C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009-01-30 16:58:52 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=275730E252CBC7F78995AAC8AC65620A – C:\Windows\System32\netlogon.dll
[2009-01-30 16:58:52 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=275730E252CBC7F78995AAC8AC65620A – C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.16670_none_ff52b85d3558b42f\netlogon.dll
[2008-01-21 02:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F – C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006-11-02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC – C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008-01-21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 – C:\Windows\System32\drivers\nvstor.sys
[2008-01-21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 – C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008-01-21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 – C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009-01-30 16:58:52 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=26EEC0A77D30A417B5B20A0447F9D030 – C:\Windows\System32\scecli.dll
[2009-01-30 16:58:52 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=26EEC0A77D30A417B5B20A0447F9D030 – C:\Windows\winsxs\x86_microsoft-windows-s…urationengineclient_31bf3856ad364e35_6.0.6002.16670_none_39a8e375d67a3aea\scecli.dll
[2008-01-21 02:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 – C:\Windows\winsxs\x86_microsoft-windows-s…urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll

< c:\windows\system32\*.dll /lockedfiles >
[2009-01-30 16:59:14 | 000,242,152 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 – C:\Windows\System32\rsaenh.dll
[2009-01-30 16:58:52 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 – C:\Windows\System32\SLC.dll
[2 c:\windows\system32\*.tmp files → c:\windows\system32\*.tmp → ]

< c:\windows\system32\drivers\*.sys /lockedfiles >
[2009-08-12 20:14:32 | 000,721,904 | ---- | M] () Unable to obtain MD5 – C:\Windows\System32\drivers\sptd.sys

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes → C:\ProgramData\Temp:DFC5A2B2
@Alternate Data Stream - 115 bytes → C:\ProgramData\Temp:A8ADE5D8
< End of report >

MBAM LOG

Malwarebytes’ Anti-Malware 1.44
Database version: 3849
Windows 6.0.6002 Service Pack 2, v.286
Internet Explorer 7.0.6002.16670

10-03-2010 22:26:51
mbam-log-2010-03-10 (22-26-51).txt

Scan type: Quick Scan
Objects scanned: 114790
Time elapsed: 15 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sorry, couldn't figure out that the attachment option was there… ;D
here goes…
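The check a helper does by eye on the "< MD5 for: ... >" blocks of an OTL log, comparing the driver copy Windows actually loads against the DriverStore and winsxs copies of the same file, can be written down. The Python below is an added example for this thread, not OTL's code and not something either poster ran; it parses a constructed sample in the shape of the log above and flags an in-use driver whose hash could not be obtained, matches none of its backup copies, or was modified after every backup copy. The rule that the in-use copy is the one under System32\drivers (and not under DriverStore) is an assumption of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of OTL "< MD5 for: >" custom-scan blocks.
# Values are modelled on the log posted above; they are not from a live scan.
SAMPLE_OTL = r"""
< MD5 for: ATAPI.SYS >
[2008-01-21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2009-01-30 17:03:12 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=3684D50B14B7982DF38C1E2D154FC465 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.16670_none_ded329341ee89a74\atapi.sys
[2010-03-07 22:24:33 | 000,019,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\drivers\atapi.sys

< MD5 for: NVSTOR.SYS >
[2008-01-21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008-01-21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>[^>]+?) >$")
# One OTL entry: [mtime | size | attrs | C/M] (company) MD5=... -- path
# The separator is accepted as "--" or as the en dash forum software turns it into.
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attr>[^|]+) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) "
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5) "
    r"(?:--|\u2013) (?P<path>.+?)\s*$"
)


def parse_md5_sections(text):
    """Return {DRIVER.SYS: [entry, ...]} for every '< MD5 for: >' block in an OTL log."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            # A new custom-scan header: only MD5 blocks are kept, any other header ends the block.
            m = SECTION_RE.match(line)
            current = m.group("name").upper() if m else None
            continue
        if current is None or not line.startswith("["):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # size-only summary lines and anything unrecognised are ignored
        sections[current].append({
            "mtime": datetime.strptime(m.group("mtime"), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group("size").replace(",", "")),
            "company": m.group("company"),
            "md5": m.group("md5").upper() if m.group("md5") else None,
            "path": m.group("path"),
        })
    return dict(sections)


def is_live_copy(path):
    """Assumption: the copy Windows loads sits under System32\\drivers; DriverStore and winsxs hold staging/backup copies."""
    p = path.lower()
    return "\\system32\\drivers\\" in p and "\\driverstore\\" not in p


def triage_driver_hashes(sections):
    """Flag in-use driver copies that disagree with their DriverStore/winsxs copies."""
    findings = []
    for name, entries in sections.items():
        live = [e for e in entries if is_live_copy(e["path"])]
        backups = [e for e in entries if not is_live_copy(e["path"])]
        for e in live:
            reasons = []
            if e["md5"] is None:
                reasons.append("in-use copy could not be hashed")
            elif backups and e["md5"] not in {b["md5"] for b in backups}:
                reasons.append("in-use copy hash matches no DriverStore/winsxs copy")
            if backups and all(e["mtime"] > b["mtime"] for b in backups):
                reasons.append("in-use copy modified after every backup copy")
            if reasons:
                findings.append({"driver": name, "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_driver_hashes(parse_md5_sections(SAMPLE_OTL)):
        print(f["driver"], f["path"], "; ".join(f["reasons"]))
```

On the sample this reports only atapi.sys, for the same two reasons visible in the log above: the copy in System32\drivers could not be hashed while every DriverStore and winsxs copy could, and its modification time is later than all of them. Either alone is worth a second look; together they are why a rootkit scanner is the sensible next tool rather than another signature scan.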

No problem, I saw the possible culprit - I will need you to run two programmes for me

Download TDSSKiller and save it to your Desktop.

- Extract the file and run it.
- Once completed it will create a log in your C: drive
- Please post the contents of that log

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi essexboy,

I guess I managed to get the malware removed from my system. TDSS killer found infected files and deleted them.
Avast is not reporting any more viruses/trojans :slight_smile: Let's see how this goes. Will monitor the system for a few days.
I have attached the logs of combofix and TDSS killer.

THANKS A TON for your help!!

What antispyware/anti-adware/firewall do you suggest having besides avast?
I guess Comodo Firewall will do?

What antispyware/anti-adware/firewall do you suggest having besides avast?
Malwarebytes PRO, a one-time fee for a lifetime license: www.malwarebytes.org; SAS: www.superantispyware.com; Outpost free: http://free.agnitum.com/

Thanks a lot Guys for your help and support. Appreciate the effort you guys are putting in! Keep it up!!

One more run I fear - All I use is Avast and an occasional check with MBAM

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


MBR::


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following report/log in your next reply: Combofix.txt

Hi essexboy,

Your suspicion was right. MBR might have a rootkit infection as suggested by the Combofix log.
Yesterday I got a new trojan/virus alert from avast!, Win32-Trojan-gen to be precise, in the C:\Windows\System32 folder.

So I started from scratch. I did scans with MBAM, SAS and ComboFix (with the CFScript you mentioned), and all found malware/adware again :frowning:
Can you please guide me again?

Please find the logs attached and help. Thanks a million!

Hopefully this should be the last

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


MBR::

File::
c:\windows\system32\kflrupp.dll

Driver::
wubqyoth

NetSvc::
wubqyoth

Reg::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FCD0D10-51AB-41DB-B9F4-2837D070C03F}]
[-HKEY_CLASSES_ROOT\CLSID\{9FCD0D10-51AB-41DB-B9F4-2837D070C03F}]



  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply: Combofix.txt and a new OTL log.

Hi,

Please find the logs attached.

Looks a lot better now - let me know of any problems on completion of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O2 - BHO: () - {9FCD0D10-51AB-41DB-B9F4-2837D070C03F} - C:\Windows\System32\kflrupp.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
[2010-03-11 22:32:34 | 000,000,000 | ---- | C] () -- C:\ProgramData\jbe4wd4a91xc74jxwv6oq2si.ini
[2010-03-11 22:32:15 | 000,000,024 | ---- | C] () -- C:\ProgramData\kfdtk.ini

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

Hi essexboy,

I have done the above. It cleaned up everything. Hope the system is stable from now on.
Thanks a ton for your invaluable support! :slight_smile:

I have attached the

Run for a day or so now - and if no further problems I will remove my tools -